Off line cash card system and method

ABSTRACT

A "bank" cash card system for handling fund transfer transactions between a payor and a payee having a magnetic "hysteresis" security arrangement. A cash card has a magnetic stripe on which the available cash balance, the identification and security information are scramble recorded. A transaction register machine reads data from the card, carries out the transaction and records the new account balance on the card. The modified information "restored" on the card is in the form of a rescrambled code. The transaction register machine also includes a magnetic tape of the cassette type or disk for storing each transaction thereon for further processing of the information at a remote data processing center. The transaction register machine further includes a main keyboard on the side of the payee for displaying the cash balance, entering the total amount of the sale and recording the new cash balance on the card. The main keyboard is responsive to the card holder's or customer's keyboard which has a slot for insertion of the card for verification by entering the correct identification number known only to the card holder. A random surface pattern on a given portion of the card is preferably scanned to produce a digital number uniquely identifying the card.

RELATED APPLICATIONS

This application is a continuation-in-part of Ser. No. 694,472 filed Jan. 23, 1985 which was a file wrapper continuation of Ser. No. 615,708 filed May 30, 1984 which was a file wrapper continuation of Ser. No. 263,206 filed May 13, 1981 which was a continuation-in-part application of Ser. No. 93,538, filed Nov. 13, 1977 all now abandoned.

BACKGROUND OF INVENTION

This invention relates in general to banking cards, and more specifically to cash card systems. The invention provides an "off-line" system for the transfer of funds in commercial, financial and trade sales transactions in which the transferee does not communicate with the fund holder at the time of a transaction.

Recent trends have pointed to the development of efficient electronic tools which eliminate the need for the use of cash, cut down on operating costs and speed the transfer of funds in every day business transactions requiring the exchange of money or checks for the purchase of goods, payment of services and any other transactions of similar character, and all this with complete security and a minimal risk of error or fraud.

Systems heretofore developed have certain limitations in that they are costly, complicated and cumbersome, the manufacturing, installation and maintenance costs are relatively high and the systems have limited use and high cost.

"On-line" systems in which each transaction is communicated to a central computer of course provide high reliability but are too expensive for practical use. "Off-line" systems in which transactions are stored at each terminal and periodically delivered or transmitted to a central facility are less expensive but lack the security and reliability of "on-line" systems.

U.S. Pat. No. 3,845,277--Voss shows a prior art "off-line" system that seems to be representative of the state of the art.

SUMMARY OF THE INVENTION

The present invention provides an "off-line" cash card system that is efficient, secure and relatively inexpensive to provide and operate. Furthermore, the system is highly secure.

It is relatively less complex than known "off-line" systems and is both easy and inexpensive to operate and easily adaptable for universal use. The system provided by this invention can completely eliminate the use of cash money, invoices, multicarbons, monthly bills, payroll checks, deposit slips, mailing costs, reduce personnel-time-load-cost, balance book ledgers and all other paper with the exception of the customer's receipt after each credit/debit transaction. The customer can acquire cash and/or purchases to the limit of their cash and credit balances for all commercial transactions by using a plastic card which can carry other selected major credit cards out of a possible 256 selections, up to a limit of 80 cards, thereby reducing the number of credit cards and/or wallet-load to one (1) card/person, making it more convenient to carry and use, and making fraud or tampering through unauthorized deposits and withdrawals, in the event the card is stolen or lost, practically impossible.

The basic components of the systems of the present invention are a cash card which is preferably of conventional plastic material containing a magnetic stripe on which the available cash balance, the owner's account number, credit and security information are recorded, and a transaction register which performs all the functions of a standard cash register including recording the amount of money received and exhibiting the amount of cash sale, and which also can read coded information from the card, store the information read, and encipher new information onto the cash card, updating the cash card in accordance with the transaction.

The cash card system provided by the present invention includes a novel "hysteresis" security arrangement. Each card is scanned upon presentation to read a numeric string which had undergone a random "mutation" when previously recorded onto the magnetic stripe. This numeric string, which can be read any number of times but cannot be accurately copied or re-recorded, serves as one of the enciphering keys for the data stored on the remainder of the magnetic stripe and enables the detection of certain efforts to invade the security of the system.

The transaction register records each cash transaction on a mass storage device, such as a magnetic disk, for later processing at a data processing central unit, with stored information being transmitted by telephone via a modem. Transmission preferably takes place automatically under timer control. The data processing center includes a computer, a disk file system and a printer for processing the information of the transaction register's disk and maintaining permanent accounts adjusted according to the cash card system transactions of the present invention.

To improve security by making copying as difficult as possible, a new numeric string enciphering key is recorded onto the magnetic stripe each time the card is used and this new key is then used to encipher the data to be stored on the magnetic stripe.

These and other features and advantages of the present invention will be made more clear by the following detailed description of the presently preferred embodiment of the invention, read in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a general block diagram of the cash card transaction system of the present invention;

FIG. 1A is a detailed block diagram of circuit 60 shown in FIG. 1;

FIG. 2 is a front view of a main keyboard panel of the cash card system which keyboard is used only by an authorized staff member of a retail outlet;

FIG. 3 is a front view of a keyboard panel of the cash card system which keyboard is used only by the card holder;

FIG. 4 is a schematic diagram of a plastic cash card of the type employed in the system of the present invention;

FIG. 5 is a block diagram of the cash card system of the present invention illustrating a card terminal unit only;

FIG. 6 is a block diagram illustrating the magnetic hysteresis method used in this invention;

FIG. 7 is a block diagram illustrating the overall interrupt architecture of the cash card system;

FIG. 8 shows a flow diagram of the initial power on routine executed at the beginning of each work day;

FIG. 9 shows the flow diagram of the card in slot interrupt routine;

FIG. 10 shows a flow diagram of the PIN key interrupt routine;

FIG. 11 shows a flow diagram of the main keyboard interrupt routine;

FIG. 12 shows a flow diagram of the process card command routine;

FIG. 13 is a flow diagram of the special function interrupt routine;

FIG. 14 is a flow diagram of decode card data routine;

FIG. 15 shows a flow diagram of the clock interrupt routines;

FIG. 16 is a block diagram showing the relationship among the various banks and accounts within the cash card system;

FIG. 17 is a flow diagram illustrating transaction processing for debits including purchases and cash withdrawals;

FIG. 18 is a flow diagram illustrating transaction processing for credits including returned items and deposits;

FIG. 19 is a block diagram illustrating cash card transaction processing for debits;

FIG. 20 is a block diagram illustrating cash card transaction processing for credits;

FIG. 21 is a block diagram illustrating major credit card debit transaction processing; and

FIG. 22 is a block diagram illustrating major credit card credit transaction processing.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

General Description

The electronic fund transfer system of the present invention will be referred to as the International Cash/Credit Card (ICCC) system. A general block diagram of the system is set forth in FIG. 1.

A power-on-reset circuit 10 activates the system which in turn activates a microprocessing unit 12 setting the transaction register machine in operation. The presently preferred microprocessor for use in micro-processing unit 12 is the Motorola 6800. A clock 14 generates pulses for the microprocessor 12 and therefore for the entire computing system.

Programmable Read Only Memory (PROM) components 16, 18, and 20 are programmed with a real time operating system, bootstrap and utility routines. A number of Random Access Memory (RAM) units 22, 24, 26, 28, and 30 are provided to hold instructions for the main program, enciphering and deciphering algorithms, random number generating routines, and temporary data for each cash card transaction which can be transferred to magnetic disk 50 for storage.

RAM units 22-30 are battery powered so that their contents will not be lost when the transaction register is turned off. This allows the most critical parts of the security system software to be loaded into RAM at the factory rather than stored in the magnetic disk. The entire microprocessor circuit is encapsulated in plastic in such a way that any attempt to access the microprocessor bus causes all power to be cut off to RAM and thus all sensitive software or data to be erased.

The card reader/writer 58 is an industry standard type such as the AMP model 211 consisting of a magnetic card transport mechanism, dual track read/write heads, motor and position control logic circuits, and a logic board which converts the standard F/2F Aiken codes into serial binary data. In this invention either the standard ATA/IATA Track 1 or the ABA Track 2 are used as the data track and Track 3 is used as the security track. The read/write heads over track 3 are connected directly to circuit 60. A Hall-effect read head 58B is also positioned over track 3 and connected directly to circuit 60.

Asynchronous Communications Interface Adapters (ACIA) 32 and 34 are the modules which couple microprocessing unit 12 to the modem 56 and the card reader/writer 58. Parallel Interface Adapters (PIA) 36 and 38 are used to control the card reader/writer 58 and either read or generate the analog security track using the security track read/write circuit 60. Microprocessor 12 uses ACIAs 32 and 34 to serialize and transfer data between the microprocessor bus and the modem 56 and the card reader/writer 58 data track. Circuit 60 is used to process the signals to or from the security track heads and is shown in detail in FIG. 1A.

Peripheral Interface Adapters (PIA) 40, 42 and 44 allow microprocessor 12 to control the PIN keyboard 74, display 76, main keyboard 80, and printer driver 78 and its associated printer 79.

A timer 46 causes the microprocessor 12 to periodically transfer data to a remote data processing center 53. Timer 46 is also used as a utility timer by the microprocessor 12. A Direct Memory Access (DMA) 48 allows data to be transferred directly from memory to a disk 50 or from the disk to memory without going through the microprocessor 12.

The cash card system may be connected to a telephone line outlet 52 through the Interface Electronic (IE) module 54 connected to a Modulator/Demodulator (Modem) 56 which converts digital information signals from microprocessor 12 through ACIA 32 into analog or audio tones which can be transmitted over the telephone line through outlet 52 to a typical data processing center 53 connected to a telephone outlet 55.

An alarm 62 connected to PIA 38 and IE 64 is provided for sending a "beep" signal warning of error, such as the card has not been inserted correctly, keys jammed, machine overflow, etc.

PIN keyboard 74 is connected independently from the main keyboard 80, the function of both of which are described below. Display 76, connected to PIA 40, is provided for displaying information in numerical and/or written form transmitted thereto by signals generated by the microprocessor 12. Driver 78 connected to PIA 44 conditions the signal level to the necessary strength to drive printer 79, which prints text upon receiving instructions from microprocessor 12. A key switch 66 turns on or off the power for operation of keyboards 74 and 80, display 76, driver 78 and printer 79. A power supply 68 converts the a.c. voltage from the current of line outlet 72 into the required voltage for the transaction register unit. A battery 70 stores energy for back-up in the event a power failure occurs in the power supply 68.

FIG. 1A is a more detailed block diagram of circuit 60 shown in FIG. 1. Circuit 60 receives signals from a reproduce head 58A and a Hall-effect head 58B and provides a record signal to a record head 58C. PIA 36 receives signals on a bus 60A from an analog/digital converter 60B which is controlled by a strobe signal on a strobe line CA2. Reproduce head 58A provides its signal to a preamplifier 60C which provides an amplified signal via a noise filter 60D to a reproduce operational amplifier 60E and which provides a signal to the non-inverting input of a second operational amplifier 60S through a high pass filter 60G. The output of operational amplifier 60S is coupled to the non-inverting input of comparator 60H.

Variable resistor 60F provides an adjustable reference voltage to the inverting input of comparator 60H through its wiper arm. One end of resistor 60F is coupled to a fixed voltage reference source; the other end is coupled to ground. The output of comparator 60H is coupled to one of the inputs of latch 60I. The output of latch 60H is coupled to the CA1 input line of PIA 36 thereby providing the microprocessor an indication of the presence of AC or DC bias in the magnetic card stripe security track. The output of operational amplifier 60E is coupled to the analog input of analog/digital converter 60B which outputs the eight bit digital value of the signal from reproduce head 58A to PIA 36 through bus 60A whenever it receives a strobe pulse from line CA2.

The output of Hall-effect head 58B is coupled to the non-inverting input of operational amplifier 60P which provides an amplified signal through variable resistor 60Q to the non-inverting input of comparator 60U. The output of operational amplifier is also coupled to variable resistor 60T and capacitor 60R which form an adjustable low-pass filter along with variable resistor 60Q.

The output of comparator 60U is coupled to an input of latch 60I, providing PIA 36 line CA1 an indication of the presence of DC bias in the magnetic card stripe. The output of PIA 36 is coupled via a bus 60J to a digital/analog converter 60K, which is strobed by a signal on a line CB2 from PIA 36. The output of digital/analog converter 60K is coupled to the non-inverting input of an operational amplifier 60L, the output of which is coupled to a record driver amplifier 60M.

The output of record amplifier 60M is coupled to the coil of record head 58C. The other side of the coil of 58C, as with 58A and 58B, is coupled to ground. A variable resistor 60N has one end coupled to the output of operational amplifier 60L and its other end coupled to ground. The wiper arm of variable resistor 60N is coupled to the inverting input of operational amplifier 60L. In operation, resistor 60N is adjusted so that it controls the negative feedback to amplifier 60L so that the output of record driver 60M is between 16% and 90% of the media working range (S/N to saturation).

As shown in FIG. 2, main keyboard 80 is used solely by the seller or payee and includes a plurality of keys, as designated generally by numeral 82. Keys 82 are marked with numerals from 1 to 9 and 0, for entering the amounts of the cash transactions. Keyboard 80 is also provided with an on-off switch, generally designated by the numeral 84, as well as contact points marked STBY, TXMT, RPT(1) and RPT(2). When the switch 84 is on TXMT contact it activates data transmission to the bank via the telephone modem 56 after the RUN key indicator 86 is pushed. Indicators are provided, namely, RUN 86, READY 88, INIT, initiator 90, (PIN) "X" 98, "-" 100, "." 102, "+=" 104, CASH 106, ENTER 108, NO TAX 110, CLR 112, CE 114, CODE 116, QUERY 118, CREDIT 120, DEBIT 122 and SALE 124. As is obvious, all these keys are employed for conducting the cash card transactions according to the system of this invention and are operated by the seller or payee.

FIG. 3 shows PIN Keyboard, generally designated by reference numeral 74, including a plurality of keys 128, marked by numerals from 1 to 9 and 0, for entry of the personal identification number (PIN) by the card number or payor. The card is inserted into a slot 126 provided thereon. A key 130 marked "C" is used for clearing the entry and a key 132 marked "E" is used to signal the transaction register that the PIN number has been keyed in. PIN keyboard 74 is operated only by the card holder in secrecy for security purposes.

FIG. 4 illustrates the configuration of the cash card used in this invention. The cash card 100 contains a magnetic stripe 918. Information is recorded onto the magnetic stripe on either security track 106 or data tracks 102 and 104. The Data tracks contain a total of 54 bytes and are recorded using standard ABA or IATA formats. The first two bytes of the data track (920) contain a 16 bit checksum of the digitized pattern recorded on the security track. This checksum is used to detect a read error and repeat the read process if required. This checksum is not encrypted. The next 50 bytes on the data track (922) constitute the data or message to be stored on the card. It is encrypted according to a method that is described in Program Listing 1. The first two bytes of this data field (922) contain the hex pattern AA55. This pattern is used to determine if the decryption procedure was successful. Any error in the PIN number, Data Track, or the Security Track will prevent the data track from being decrypted hence this pattern will not appear. Following the data field is recorded a two byte checksum (924). This checksum is used to detect errors in reading the data track. The security track 3 contains three different fields. The first field (926) contains a calibration pattern produced by recording a square wave pattern of a standard level using no bias. It is used to compensate for card aging and mechanical positioning errors. The second field (928) consists of a single 10 millisecond pulse used to indicate the start of the security field. The last field is the security field consisting of 256 points of analog data recorded using no bias as explained previously. Each point has a duration of 2.4 milliseconds. When the security field is read, it is read at a rate eight times faster than the record rate and each group of eight values is averaged to yield 256 points along the security field. When this security track is recorded, the record procedure is repeated two or more times to result in a complex random analog waveform which when read, is used as one of the keys by the encryption/decryption algorithms described in program listing 1.

Summary of Operation

According to the cash card system of this invention, a person bearing a cash card may, in any combination, purchase items or services or obtain money, by transferring funds data from his cash card into the transaction register disk of the appropriate establishment. As the cash card is used variable amounts of cash balances are recorded directly on the card, thereby completely eliminating the use of checks, cash money, credit cards and house charges. Immediate contact between the transaction register and the bank of either the card bearer or the establishment where the transaction register is located is eliminated. The system, therefore, always operates in a completely off-line mode and surpasses on-line systems as to speed, efficiency, cost and security.

As presently contemplated, a person can acquire a cash card at any member bank (i.e., a bank subscribing to the cash card system through a lead bank which may secure any number of member banks) by depositing any amount of money in a special interest bearing account, to be called a card holder-ICCC account. This account cannot be diminished by a check or passbook but only by the use of the cash card. The card holder-ICCC account could be administered by the member bank according to the competitive policies of the member banks with regard to minimum balances, number of transactions and cost-fee of ICCC card on issue, as examples. The balance in the ICCC account is recorded on the cash card to be used at the various transaction registers located at the retail outlets in the community. The current balance will draw interest at 5 1/4%, or the prevailing rate, at all times from the lead bank or ICCC computer and will continue to do so until all the money is spent through the ICCC cash card.

As the bearer uses his card, information regarding the appropriate amount of a transaction will be transferred to the transaction register disk and recorded. The information is later transmitted to the member bank, causing the transaction amount to be credited to the member retail outlet account. In turn, this information is electrically transmitted through the local bank to the card holder's account at the ICCC computer or lead bank for debit. In the event cash is desired, the card bearer receives cash instead of merchandise, but again transaction information is electronically transmitted as described above via the member banks, crediting the retail outlet and debiting the account of the card bearer held at the lead bank or ICCC computer, thus eliminating the need for checks.

The ICCC card issued by the lead bank through the card bearer's member bank (or by direct mail through customer's application), has a magnetic stripe encoded with the person's name, ID number, and cash balance enciphered for security purposes. The system will not be activated for operation by a card unless the right PIN is entered into the transaction register. Also, the register will not operate unless circuit 60 is inserted in the transaction register for operation. In effect, the card holder walks out of the bank or any member establishment with the full amount on deposit in his pocket and is able to spend it as if it were cash, while still earning 5 1/4% interest, or the prevailing rate on 100 percent of the amount in this account.

Interest rates can also be earned on the balance of a customer's ICCC card. This can be accomplished at the transaction register (TR) with each transaction, or the interest earned can be sent by check to each customer quarterly, or the customer can go to the bank each quarter and use the bank TR for updating interest on the card. In a typical cash card transaction, the customer would select the items he wishes to purchase. At the sales counter he would insert his card 134 into the slot 126 of the special keyboard 74. The customer would then enter his PIN by pressing the proper keys 128. The cashier at the establishment would then press the query key 118 of the main keyboard 80 for setting a display, as at 76, of the customer's available cash balance. The cashier would then enter the amount of the sale, as with a standard cash register, which can calculate the price per item, the subtotal, the tax, the transaction fee and the total. After the total is displayed, the cashier presses the sale key 124.

If the PIN is correct and the balance sufficient, the transaction would be recorded by circuit 60 within the transaction register which also would print a sales slip showing the sale price, as at 79, write the new cash balance of the card after the transaction and the account number of the card, and would record on the card the new cash balance. If the customer had requested cash from his card account, the transaction would have been handled in the same manner as the sale, except that the debit key 122 would have been pressed instead of the sale key 124, eliminating the check, imprinter, multi-carbons and lost and stolen card pamphlet and other paper used by major credit cards.

The transaction register machine can also handle deposits by the customer into his card. For example, a customer can enter a store with his paycheck and request that the amount of the paycheck be credited to his card. The card would then be inserted in the slot 126 of the keyboard 74 and then the PIN would be entered by pressing the proper keys 128. The cashier would then enter the amount on the register by pressing the proper keys 82 and then would press the CREDIT key 120. Thus the customer's card would be updated with the new balance and a permanent record of the transaction would be recorded by circuit 60, eliminating the deposit slip.

Another feature of the transaction register machine is that by setting the control key 84 on RPT(1) or RPT(2) and pressing the RUN key 86, a report will be printed showing a summary of the daily transactions, which is kept by the retail outlet as a permanent record. This report will include the cash, ICCC card and major credit card transactions. The exact format of a report can be tailored for each retail outlet in the software of the transaction register. RPT(1) and RPT(2) represent settings for two different report formats which can be produced by a single transaction register.

Either daily or bi-weekly, the information stored on the disk 10 would be transmitted via modem 56 from the cash card transaction register outlet to the data processing center 53 of a member bank over the telephone line at 52. The member bank then processes the disk information with the necessary data processing equipment and sends the coded information to the international cash credit card (ICCC) processing center (ICCC computer) or lead bank. There the information on disk would be read and decoded, as it would be stored in a scramble code for security purposes, and the appropriate customer accounts would be credited or debited accordingly.

The data processing center computer, as designated by number 53, of a well known model and type, contains in a disk file, not shown, a record of every transaction made within the cash card system of the present invention. The ICCC computer or lead bank computer will automatically update the balance of each ICCC card bearer account as the new debit and credit information is received via the modems of various transaction registers. The lead bank or ICCC computer will automatically transfer funds between a "member bank-lead bank joint account," located at the lead bank, and a "member bank suspense account." The member bank in turn debits or credits the retail outlet accounts, as required to maintain the system in balance. A suspense account is primarily used to expedite immediate clearance of a transaction; it would not be required if the customer's account and the retail outlet's account were at the same bank.

For example, as shown in FIG. 17, if a customer purchased $100.00 of merchandise with his card at a member retail outlet, a record of the transaction would be recorded on the disk. When the information on the disk reaches the ICCC computer or Lead Bank, through the member retail outlet's bank computer, the card holder's account at the lead bank would be debited $100.00 and the member-lead bank-ICCC joint account credited $100.00. The Lead Bank or ICCC Computer would also automatically transfer the necessary funds, in this case $100.00, in the opposite direction from the member-lead bank-ICCC joint account (float) at the lead bank and credit the member Bank suspense account.

The member bank in turn would debit this suspense account and credit its customer, the retail outlet, the $100.00. The retail outlet is immediately credited, from the suspense account, at the member bank, prior to debiting customer account at the lead bank. This can all be done within minutes after the lead bank receives the transaction information. The lead bank computer or ICCC computer will further print out a daily report showing the status of the ICCC cash card system. This includes a list of cards which have been inactive for a long period of time, cards which have a zero balance, and cards which may have been altered, resulting in incorrect balances and deposits made fraudulently or in error.

The operator at the lead bank or ICCC computer data processing center can request any information or special reports on the international cash/credit card system (ICCC) operation from a member bank computer at any time, and vice-versa. Cards which have been lost or stolen can be reported to either the lead bank, member bank or ICCC computer at any time. If any transaction involving those cards is later detected, the computer will immediately issue a special warning report, electronically, to every transaction register at retail outlets through the member bank computer. Information about cards lost or stolen will be electronically transmitted instantly, in the same way, to all transaction register locations.

System Security

The security of the off-line system of the present invention is maintained by enciphering the data to be stored on the card's magnetic stripe, and storing the enciphered data using a random hysteresis method. In the presently preferred embodiment, this method will be used with magnetic stripe cards but it can be applied to any magnetic media.

FIGS. 4 and 6 further explain enciphering. After the ICCC has been inserted into the transaction register, hardware 910 randomly generates a 256-bit digital number K1d, which serves as the first enciphering key. This digital number is converted by a D/A converter 912 to an analog waveform K1a of that first enciphering key. This waveform is amplified by an amplifier 914, and coupled to a transducer 916, which produces a randomly mutated waveform K1a' that is recorded onto security track 102 of the ICCC's magnetic stripe 918 by transducer 916. The random mutation is created by recording the amplified original waveform K1a onto magnetic stripe 918 with no a.c. or d.c. bias and with care taken so as not to reach the saturation level of magnetic stripe 918.

Next, security track 102 of magnetic stripe 918 is read by transducer 916, and the randomly mutated waveform K1a' is sent to A/D converter 920, which produces an equivalent 256-bit digital number K1d'. This number is then combined with the PIN, which serves as a second enciphering key K2, by random sequence generator array 922 to produce a first pseudo-random string R1 which is used for enciphering transaction data to be recorded onto the data track 103 of magnetic stripe 918. There are many enciphering algorithms in existence. One possible enciphering algorithm, the Rivest Data Encryption Algorithm, will be described later.

During the transaction, account information such as the account number, balance, and credit limits are written in enciphered form onto the data track 104. When the transaction is completed, the ICCC is ejected from the transaction register.

The first data written to the data track 104 during a transaction is a data track header, which is used to determine whether the next use of the ICCC is authorized. The header, say a BCD digit, is uniform throughout the ICCC system. It is enciphered using the pseudo-random string R1 key produced by the random hysteresis method described above, and then written onto the data track. The next time the ICCC is used the header is read and deciphered. Correct deciphering of the data track header is confirmation of an authorized use of the ICCC.

The next time the ICCC is used, the data information previously recorded onto the card must be deciphered. For deciphering, the procedure is as follows. When the ICCC is inserted, the randomly mutated waveform (K1a') is read from the data track 104 of magnetic stripe 918 and checked for the presence of any a.c. or d.c. bias. If any such bias is detected, thus indicating the probability of tampering with the ICCC, the card can be ejected or captured.

If no bias is detected, deciphering proceeds by passing the randomly mutated waveform (K1a') to A/D converter 920, which produces an equivalent 256-bit digital number (K1d'). This number is then combined with the PIN (K2) by random sequence generator array 922 to produce the first pseudo-random string R1, which is used by the deciphering algorithm. If the pseudo-random string produced during this deciphering stage is not identical to the one produced during enciphering (if, for example, an incorrect PIN had been entered), then the data track header will not decipher properly and the card would be ejected by the transaction register.

It is the random mutation of the waveform written to the security track 102 of magnetic stripe 918 that provides the advantageous security of the present invention, not previously found in off-line systems. Previously known off-line systems were susceptible to "buffering," whereby the information on a card's magnetic stripe could be recorded on a media outside of the card, to be re-recorded onto the card's magnetic stripe at a later time. An example of buffering is the following.

Suppose a card had a balance of $100 as indicated on its magnetic stripe, and this information was copied onto media outside of the card. The card could then be used to make purchases, with the balance successively lowered. But then the balance could be restored to $100 by re-recording the "buffered" information onto the card from the outside media. By contrast, in the present invention, because the randomly mutated signal is recorded onto the card with no bias, the presence of any bias will cause the card to be rejected or captured once such bias is detected. Since some kind of bias is required to record a specific signal on outside magnetic media, it is extraordinarily difficult to duplicate or buffer information on a card using the method of this invention.

The following is an example of the type of algorithm that can be used for enciphering data. If a plain text input of, say, 100 BCD digits is used, then the first pseudo-random string R1 would also contain 100 digits. Each digit of the plaintext input string is substituted with the four least significant bits of the sum of the BCD digit and its corresponding pseudo-random string R1 digit, thus producing a modified input string. The first pseudo-random string R1 is then processed by a non-recurrent limit function, which disposes of digits outside of a present range of, in this example, 1100, and is transformed into a second pseudo-random string R2. The order of the digits of the modified input string is then scrambled by using the sequence of the second pseudo-random string R2 as a key to the new position of each BCD digit. Thus the output is ciphertext of 100 BCD digits. The corresponding deciphering algorithm would proceed inversely.
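The following added example (not code from the patent) works through both the header check described for FIGS. 4 and 6 and the substitute-then-scramble algorithm above. It assumes SHA-256 in counter mode as a stand-in for random sequence generator array 922, reads R2 as a non-repeating sequence of positions drawn from the continuation of the same keyed stream, and uses a constructed 8-digit header where the text suggests a single BCD digit; all function names and sample values are hypothetical.

```python
import hashlib

# Constructed header, uniform across the system (the text suggests one BCD digit;
# eight digits are assumed here so a wrong key is not accepted by chance).
HEADER = [7, 3, 1, 9, 4, 2, 8, 6]


def keystream(k1d: bytes, pin: str):
    """Yield bytes keyed by K1d' and the PIN (K2).

    Assumption: SHA-256 in counter mode stands in for the unspecified
    random sequence generator array 922.
    """
    counter = 0
    while True:
        block = hashlib.sha256(k1d + pin.encode() + counter.to_bytes(8, "big")).digest()
        yield from block
        counter += 1


def derive_strings(k1d: bytes, pin: str, n: int):
    """Return (R1, R2): n key digits and a permutation of positions 0..n-1."""
    if not 0 < n <= 256:
        raise ValueError("this sketch handles 1..256 digits")
    stream = keystream(k1d, pin)
    r1 = []
    while len(r1) < n:
        b = next(stream)
        if b < 250:                      # rejection sampling keeps digits uniform
            r1.append(b % 10)
    # "Non-recurrent limit function": discard values that are out of range
    # or have already been used, leaving each position exactly once.
    r2, seen = [], set()
    while len(r2) < n:
        v = next(stream)
        if v < n and v not in seen:
            seen.add(v)
            r2.append(v)
    return r1, r2


def encipher(digits, k1d: bytes, pin: str):
    if any(not 0 <= d <= 9 for d in digits):
        raise ValueError("plaintext must be BCD digits 0-9")
    r1, r2 = derive_strings(k1d, pin, len(digits))
    # Substitution: four least significant bits of digit + key digit.
    # The result is a 4-bit value and may exceed 9.
    modified = [(d + r) & 0xF for d, r in zip(digits, r1)]
    # Scramble: R2[i] is the new position of modified digit i.
    out = [0] * len(digits)
    for i, pos in enumerate(r2):
        out[pos] = modified[i]
    return out


def decipher(nibbles, k1d: bytes, pin: str):
    r1, r2 = derive_strings(k1d, pin, len(nibbles))
    modified = [nibbles[pos] for pos in r2]            # undo the scramble
    return [(c - r) & 0xF for c, r in zip(modified, r1)]  # undo the substitution


def write_track(account_digits, k1d: bytes, pin: str):
    """Encipher header plus account data for the data track."""
    return encipher(HEADER + list(account_digits), k1d, pin)


def read_track(track, k1d: bytes, pin: str):
    """Return the account digits, or None when the header fails to decipher
    (the condition under which the register ejects the card)."""
    plain = decipher(track, k1d, pin)
    if plain[:len(HEADER)] != HEADER:
        return None
    return plain[len(HEADER):]


if __name__ == "__main__":
    k1d = bytes(range(32))                       # constructed 256-bit K1d'
    account = [int(c) for c in "4000123400010000"]  # constructed account data
    track = write_track(account, k1d, "4821")
    print("data track nibbles:", track)
    print("correct PIN:", read_track(track, k1d, "4821"))
    print("wrong PIN:  ", read_track(track, k1d, "4822"))
```
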

DETAILED DESCRIPTION OF OPERATION

The system is constructed as a microprocessor unit (MPU)-based system using an interrupt architecture.

FIG. 7 is a schematic diagram of the interrupt system of the present invention. A switch 300 is associated with slot 126 for detecting when a card has been inserted into the slot. A second switch 302 is associated with PIN keyboard 74 for indicating PIN keyboard activity. A third switch 304 is associated with main keyboard 80 for indicating main keyboard activity. In addition, 24-hour timer 46 (also shown in FIG. 1) provides a logic level high at predetermined times for activating the clock interrupt routine shown in FIG. 15. The signals from switches 300, 302, 304 and timer 46 are coupled to a priority selecting network 308 formed as part of a PROM associated with the microprocessor. The priority selecting network selects which of a plurality of subroutines will be executed. This selection is coupled to the interrupt (IRQ) of the microprocessor. A separate switch (transaction register clear key switch) 310, associated with CLR key 112 on the transaction register, couples power to the non-maskable interrupt (NMI) of the microprocessor.

FIGS. 8-15 are flow diagrams illustrating in general the steps carried out by the system of the present invention in carrying out transactions. As shown in FIG. 8, when the power is turned on, the system waits for a key to be hit or a card to be inserted in a slot. Normally, when power is initially turned on at the beginning of a business day, the clear key is hit to clear all of the registers. If any card is present, it is ejected, and the timer is then checked.

Block 500 represents a non-maskable interrupt (NMI) triggered by transaction register clear key switch 310 shown in FIG. 7. In essence, the NMI acts to clear all functions. It is actuated by the clear key CLR 112 on keyboard 80. Block 502 refers to a power on/reset. The system provides a triggered reset signal to microprocessor 12 each time power is initially applied. After a reset, block 504 clears all memory registers including an A-register and B-register. At block 506 it is determined whether or not a card has been inserted into slot 126. If a card is present within the slot 126, the card is ejected, as noted by block 508. If no card is present in slot 126 or after a card has been ejected from the slot, it is determined whether 24-hour timer 46 is properly set. If there has been a power failure, then timer 46 resets. If timer 46 is not properly set, a beep alarm sounds as indicated by block 512, and an operator must reset the time, as indicated by block 514.

As will be shown in greater detail in FIG. 15, the system contemplates automatic transmission of information at time intervals, for example during the night, to a central computer. Timer 46 is checked to make sure that it is functioning properly and thus that transmissions are taking place normally.

The system next determines whether there was any difficulty in transmitting data or if data had been properly transmitted during the previous night to the main computer. If there has been some difficulty, the operator will hear a beeping alarm and see a visual display indicating the nature of the trouble, as indicated by block 518. The display will call for a specific service along with the beep alarm. Once all these matters have been attended to, the system goes into an idle state and waits for an interrupt as indicated by block 520. As stated, the overall system architecture is constructed as an interrupt system. The processor interrupts or executes each action independent of other actions. The processor is not looking to see what it has to do. Rather, it waits for an operator to tell it what to do.

If a card is inserted into a slot, the card in slot interrupt routine begins as shown in FIG. 9. After the card is accepted, three simultaneous tests are carried out. First, a check is made to make sure that the card is of a type that the system will accept, that is, it is not a card of some other system. Second, the security track and data track of the magnetic strip 18 are read. Once the PIN has been entered, the data track header is deciphered. Third, parity checking occurs as the security and data tracks are read.

FIG. 9 is a flow chart of the card in slot interrupt. When a card is inserted into slot 26, switch 300 generates a card in slot interrupt as shown by block 522. This interrupt eventually provides a signal on the IRQ interrupt of the microprocessor. When the card has been inserted into slot 126, a motor is activated that pulls the card in. The security track is then read as shown in block 524, and then the data track is read and the data transferred to buffer memory as shown in blocks 526 and 530. (As the security and data tracks are being read, there is a reading and testing for parity. In the event of an error, there is a re-test for the presence of an appropriate ICCC card at block 532.) The security subroutine used in block 526 and in blocks 600 and 622 is set forth in Appendix A.

At the same time, as shown in block 528, there is a test to verify whether the card inserted is a proper ICCC card. Should an inappropriate card be inserted into slot 126, the card will be immediately rejected. In the event that block 532 determined an invalid ICCC card, block 534 stops all functions. An audible alarm sounds and control is returned from the interrupt as shown in block 536. This places the system into an idle state.

When a valid cash card has been detected, then, as shown in block 526, the security track and data track are read from the card. At block 530, the data read from a card is transferred to a buffer memory. An error detection loop, not shown, repeats the "read" until it is successful. In block 538 it is determined whether a PIN has been entered. If so, then the data track header read from the card is decoded as shown in block 542. However, in the event no PIN number has been entered, system control returns from the interrupt into an idle mode. When that number is entered, the system goes through the routine shown in FIG. 10.

After the PIN is entered, the system checks to see whether the card has been read, that is, the system has gone through the steps of FIG. 9. If that has taken place, then the system decodes the data track header, at 542, to see whether the entered PIN is correct. If not, a beep alarm is sounded. The system further counts the number of successive errors and the transaction is stopped in the event that the number of errors indicates that an attempt is being made to make a match by entry of successive digits without knowledge of the real PIN.

FIG. 10 is a flow chart of the PIN keyboard interrupt routine. The PIN keyboard interrupt triggered by switch 302 (shown in FIG. 7) is shown at block 544. This interrupt is triggered whenever any of the buttons on the PIN keyboard is pressed. The Motorola 6800 Microprocessor, selected in the preferred embodiment, has an inverted IRQ. Therefore, it is shown as such in the drawings. As the customer begins to enter a PIN via PIN keyboard 74, this system, as shown in block 546, begins to respond and accepts the data being input by the customer. As data is being entered, block 550 tests for various errors or clears an entry. The PIN keyboard 74 has a clearing key that is used to wipe out previously entered numbers. If there has been an error or if the clear button has been pressed, control goes to block 548. Block 548 prevents anyone from entering the PIN over and over again. It will stop system interaction with the customer after two minutes lapse in order to discourage repetitive inserts of erroneous PIN's. At block 552, the system determines whether a card has been read. If not, control returns via block 56 to an idle condition. If so, the data track header is decoded at block 542. Block 543 determines whether the decode was successful. If the decode succeeded, control goes to a decode data block 554. If the decode failed, control goes back to block 546 to allow another PIN to be input.

When one of the main keyboard keys is operated, as shown in FIG. 11, the system first checks to see whether the transaction is a card dependent transaction or not. The main keyboard can be used for arithmetic and other calculations like a calculator. If the transaction is not card dependent, then the command is executed and the result is displayed and printed. If the command is card dependent, then a check is made to see if the card has been coded correctly, and whether the PIN number has been matched. If both of these checks are positive then the desired command is executed.

Referring now to the specific blocks of FIG. 11, the main keyboard 80 interrupt triggered by switch 304 (shown in FIG. 7) is shown at block 558. This interrupt occurs when the operator presses any of the main keyboard buttons. At block 60, data entered via the main keyboard is accepted. From the data entered via keyboard 80, a command line is built at block 562. This function is similar to that of an adding machine executing, for example, the equation 2+2=4. In essence, it totals a sale or other transaction like a conventional cash register. The command built in block 562 is checked for completeness at block 564. If the command is complete, the user activates the appropriate button and controls flow to block 566. If the command is not complete, the control returns to block 560 and further input is accepted. At block 566, the system determines whether the command, determined complete at block 564, has been cleared. If it has been cleared, control goes to block 568 where the system returns from the interrupt to an idle state.

At block 570, the system determines whether the command constructed at block 562 and confirmed via blocks 564 and 566 is going to affect the card or not affect the card. Some commands, for example a balance inquiry, would not affect the card. As another example, a user might be merely using the transaction register as a calculator for adding or subtracting; such use also would not affect the card. In such cases, command would go to block 590 and then to block 588 where the computer results would be displayed. Control would then return from interrupt at 586 to an idle condition. However, if the command was card dependent, control would flow to block 574, which interrupts the command and decides what is required to get the command executed. Block 578 determines whether the card information has been decoded. If the card information has been decoded, control flows to block 576 which causes the system to request data. The command would go back to an idle state via blocks 572 and 574. If at block 578 the card data had been decoded, an error test would take place at block 580. An error would cause an audible alarm to sound and a reset function, shown in block 584. If no error were determined at block 580, then the card data would be processed at block 582.

FIG. 12 illustrates the flow diagram for a command entered into the transaction side of the keyboard. First, the system checks to see whether the transaction is a permitted one, under either the ICCC system or another. While only the ICCC card will fit into the TR, and in fact the TR will reject any foreign card entered, coding for other card systems may be placed on the ICCC card and this coding can be recognized by the TR. If the transaction is not a permitted one, then a check is made to see whether the presented card is an allowed card of another system. If the transaction is permitted then the balance or credit of the card is checked to see whether the transaction is allowed. If the transaction is proper, then new amounts are calculated, stored and re-encoded on the card. The transaction is then stored on the magnetic disk for eventual transmission to the central computer.

Block 584 begins the routine for processing card commands. Block 586 determines whether the transaction selected is permitted for the card inserted into slot 126. By reading the card, the system determines whether that transaction is permitted or not. For example, an attempted purchase using a card with a negative balance and no credit authorization would not be a permitted transaction. In the event that a transaction is not permitted, block 608 causes an appropriate display to be printed and an audible alarm to sound. The card is then rejected and control returns to an idle mode via block 610.

Assuming the transaction is permitted for the particular card inserted into slot 126, control flows from block 586 to block 592. There, it is determined whether the card has a sufficient balance for the transaction. In essence, the system looks at the purchase desired (as entered via Main Keyboard 80), examines the data on the card and determines whether a sufficient balance exists. If a sufficient balance exists, control flows to block 594 where a new card amount is calculated, stored and buffered. Then, control flows to block 596 so that the current transaction can be executed. The block 598 represents an enciphering algorithm which is maintained secret for security reasons. Block 598 represents any enciphering algorithm collected, as shown in the art. Once the data has been enciphered, the new data is stored on the card at block 600. In the event no error is determined at block 600, a record of the transaction is stored in disk storage (in circuit 60) at block 609 and return to an idle condition occurs via block 606.

Simultaneous to determining at block 586 that the transaction is permitted, block 588 checks to determine whether the transaction is permitted for that card. It also checks the command that has been constructed. If a non-ICCC transaction has been determined, the data must be handled by a special function program indicated by block 590. For example, if users of a particular credit card have been incorporated into the ICCC system, such as Visa, Master Card, etc., the particular data from those cards would be read and handled via a special sub-routine.

In the event the card does not have a sufficient balance for the transaction, control flows to block 614, which determines whether there is appropriate credit to handle the transaction. If there is insufficient credit, the transaction is rejected at block 612 and the system returns to an idle condition at block 610. However, in the event that at block 614 it is determined that there is adequate credit, block 616 calculates the appropriate amounts and stores them in buffer memory. Control then flows to block 618 where the credit transaction is executed. Block 620 represents an enciphering algorithm which is, of course, maintained secret for card security. This block represents any such algorithm known in the art. The enciphered new data is then stored on the card at block 622. An error check occurs at block 624. In the event of no error, the transaction is stored on disk at block 628 and the system returns to idle at block 630.

FIG. 13 is a flow chart of a special function interrupt. Special function block 632 represents the continuation of block 590 shown in FIG. 12. Special functions do not modify data on the major credit card but is re-encoded. This system determines, at block 634, whether the function requested is allowed, i.e. whether the card is coded to permit the request by a customer of a non-ICCC transaction. For example, has the card inserted been allowed for a particular major credit card or not. Possible functions include billing a transaction to a major credit card, paying a major credit card bill with ICCC funds, etc. If the function is not allowed, control goes to block 636 which rejects the transaction and then the system goes to idle via block 638. However, if the function is allowed at block 634, control goes to block 640 where all computations are performed. For example, the computation for a transaction involving a major credit card encoded on ICCC would take place. In addition, computations could be performed for the payment of major credit card bills with ICCC funds, etc. From computation block 640, the results of the computation would be printed and displayed at block 642. At block 646, the record would be stored in a disk file and the system would return to an idle condition via block 648. After the information is stored, it would be among the data automatically transferred to the ICCC host computer via modem 56, and the information would ultimately be relayed to the designated major credit card company.

FIG. 14 is a flow chart of the routine for decoding card data. Block 650 represents the initial step for deciphering card data. Block 650 is in essence the continuation of block 542 shown in FIG. 9. This Figure illustrates the routine used to decipher data on a card. Data from the card is deciphered at block 652. This block represents a deciphering algorithm by which data from the card's security track and the entered PIN are used as keys to decipher data which was previously stored on the card. Of course, this algorithm would be maintained secret by the user. Block 652 represents any such deciphering algorithm ultimately selected by the user and is therefore not shown in detail. Control would never have reached block 650 unless a card were inserted into slot 126 and a PIN number keyed in via PIN keyboard 74. By the time control reaches block 652, it is therefore assumed that data has been read and that there have been no errors in either entry of the PIN or on the card itself.

At block 654 it is determined whether the card has been successfully deciphered. If the decipher has been successful, control goes to block 660 where card data is compared with data maintained in a bad card file in the transaction register memory. If this comparison indicates that the card has not been invalidated for any reason, control goes to block 662 which stores the data in a buffer. Then, control goes to block 664 which sets flags indicating that the card is good. Then, control flows to block 666 and the system returns to the idle condition.

However, if comparison at block 660 indicates that the card is bad, control flows to block 668 which causes the card to be captured or rejected. Control then flows to block 670 which resets the transaction and sets off an audible alarm and causes an error message to be displayed or printed. The system then returns to an idle state via block 672.

Using the deciphering routine shown in this Figure, the only thing that would cause a card to not successfully decipher is if it had been tampered with, if a PIN entered was not correct or if the card were defective, erased, or severely damaged. If it should be merely weather-beaten, the card would be rejected and not captured.

FIG. 15 illustrates the clock interrupt routine. As discussed briefly above, periodically information is transmitted to the main computer in the member bank under the control of timer 46. When the timer indicates that transmission should occur, the computer is contacted and stored records are transferred. The system then receives from the main computer and stores an up-dated list of valid cards.

This routine handles the transmission of data to the member bank's main computer from a transaction register. Block 674 represents the interrupt from clock 46. Clock 46 provides the ability to set the transmission time to a normally down-time such as two o'clock in the morning for transmission to the bank. Each transaction register will transmit at a different time to the bank. That transmission is actuated by the timer interrupt, via timer 306 and priority selecting network 308 shown in FIG. 7. At block 676, the main computer is called via a telephone dial-up link.

Block 678 determines whether the transaction register has successfully called the computer. If not, the transaction register redials via the telephone link until it is connected with the main computer. If it does connect, control flows to block 680 which causes an identification exchange between the transaction register and the computer. After ID information has been exchanged with the bank computer through a string of codes, control flows to block 682 whereat the transaction register transmits a copy of all transactions that have taken place and are on file. At block 684, the transaction register receives from the bank computer data concerning invalid cards and other information and stores this data for later use in dealing with customer transactions. At block 686 it is determined whether any errors were noted. These would include parity errors, static on line, etc. If errors were noted, control returns to block 680 and the information exchanges are repeated. However, if no error is determined at block 686 it is assumed that data has been successfully exchanged and appropriate flags are set. The system then returns to an idle state via block 690.

Fraud

There are two main possible sources of fraud which the system must guard against. The first involves fraud by the bearer of the card, and the second involves fraud by the retail outlets subscribing to the system. If a card is lost, the PIN, known only to the owner of the card, insures that unauthorized persons cannot use the card and eliminates signature and identification requirements. Without the correct PIN the card is useless, and nothing in the cash card system can be compromised so as to divulge it. The PIN is neither contained on the card's magnetic strip nor stored in any of the system's computers; it is known only by the card holder. As described previously, the PIN is able to identify the card holder because it is used as an enciphering key, and thus must be entered correctly upon each use of the card in order to correctly decipher the data recorded on the card during its previous use. The enciphering of the information on the card also prevents the alteration of the contents of the card. However, should an identified card be counterfeited and used, this type of fraud may not be detected by the transaction register but would eventually show up as an incorrect balance at the lead bank or ICCC computer processing center. The identity of the card holder would then be determined and he could be traced through the account at his bank. Every card holder must have an account at the lead bank, and proper identification must be provided when the account is opened along with completing an application.

Fraud by the retail outlet could be perpetrated by tampering with the disk to reflect transactions which have not taken place. This type of fraud is prevented by the use of a scrambled encoding similar to that used in the cards. The cashier could not enter extra sales to a customer's card since the PIN must be entered before every transaction. The electronic chip of the transaction register is encapsulated to prevent anyone from determining or decoding the algorithm by studying the program stored in memory. Any attempt to access the microprocessor bus will cause the power to the battery-backed RAM units 22, 24, 26, 28, and 30 to be cut off, thus erasing all sensitive software.

As briefly discussed above, the cash card system includes many highly advantageous security measures. The strongest of these security measures is the card itself. The "hash" encoding of information contained on the magnetic stripe cannot be duplicated, skimmed (transferring magnetically encoded data directly from a genuine card to any number of striped cards) or buffered (buffering creates exhausted data: information encoded on a genuine card is transferred to a storage medium and then transferred back at a later date) without using a.c. or d.c. bias, which would be detected by a transaction register.

The enciphering and deciphering algorithms are contained within a chip located in each transaction register and cannot be removed without first being destroyed. The probability of deciphering the data on the card without the algorithm is very small. Furthermore, the enciphering and deciphering algorithms can be changed periodically to further insure the security of the system. The enciphering algorithm is represented by blocks 598 and 620 in FIG. 12 and the deciphering algorithm is represented by block 652 in FIG. 14.

Should a card be accidentally erased or otherwise damaged or worn to the extent that it cannot be read electronically, a member bank can replace it with a new card through the use of the bank's transaction register and by drawing on the records of the central computer for all transactions that have been previously placed on the card.

The security control for the cash card system is the central cash card computer which gathers security information from all sources within the system and transfers that data to the disk memory of each transaction register. This security information helps to determine which cash card will be accepted, rejected or captured. Cards are rejected if they appear in the security file, if they are damaged or worn so as to be unreadable, or if they are used with an incorrect PIN.

Should a customer lose his cash card, the finder cannot use it unless he also knows the customer's PIN. Lost or stolen cash cards can be reported to the central cash card computer through either the member bank, a retail outlet, or the cash card system provided. Cash cards that have been reported as lost or stolen will be rejected by any transaction register or modular register even if the correct PIN is used.

Transaction registers that have been stolen cannot be operated unless a particular code number is known and activated. This code number must be activated before the transaction register can be used. Therefore, stolen transaction registers cannot be used by a thief to update his ICC card cash balance. Should the code of a transaction register become known and used by unauthorized persons, the cash cards used in that transaction register after the date it was stolen will be reported to the disks of all other transaction registers via the system's computers. These cards will then be captured when used. Their capture provides evidence that can be used in later prosecuting the thief of the transaction register.

The credit key, used to activate the deposits to the cash card, also requires a code number for use. The manager of a retail outlet can be made responsible for all credits placed on the cash card by his outlet transaction register. If the manager (or anyone else) does raise his cash card without an offsetting debit, the computer will detect that the balances of the cash cards that have been fraudulently credited do not correspond to their respective account balances. These cards will be captured when any further attempt is made to use them within the cash card system.

Credit limits that are assigned to each transaction register can be reduced or raised by the central computer. Those transaction registers having a track record of unorthodox deposits will have their credit limits reduced or eliminated by the provider of cash card services.

The cash card system also provides a special service to retail outlets by protecting them from bad checks. Should a check deposited through the ICCC system be returned due to insufficient funds, the retail outlet can contact the ICCC central computer. The computer places the customer's cash card ID in its security file. This information is transmitted to the memory disk of every transaction register and modular transaction register. Until the customer reconciles the bad check, the customer's subsequent cash card transactions are all rejected.

Uses of the System

The uses of the cash card system of this invention are virtually unlimited due to the system's adaptability; several modifications may be made without departing from the spirit of this invention. For example, the transaction register shown in FIG. 1 can be constructed as a modular transaction register suitable for use with gasoline pumps, vending machines, pay telephones, ticket dispensers, taxicabs, etc. The modular transaction register is a transaction register that can be customized for special applications. The heart of the modular transaction register is a box containing all of the electronic components of the transaction register shown in FIG. 1 including the telephone modem. In the modular transaction register the box has been separated from its plug-in accompaniments such as the card reader-writer, PIN keyboard, main keyboard printer and display. These accompaniments can either be plugged in directly, connected at some remote point or eliminated altogether.

The characteristic common to all varieties of modular transaction registers is that the ICCC customer, instead of making a transaction with a cashier, makes the transactions with the machine without using funds that are usually necessary for the type of transactions which occur in motion picture houses, taxi cabs, gasoline stations, etc.

For example, the main keyboard connectors of the modular transaction register may be connected to the total sale display of a gasoline pump. The cash card would be automatically debited for the cost of the gasoline. In such a case the cash card could also be used to turn the gasoline pump on and off. This raises the possibility of gasoline pumps appearing in every corner, of, say, 100 pumps all under the supervision of a single attendant, thus cutting costs to the oil companies.

Further, a taxi driver using a modular transaction register would turn in his memory disk to the taxi office at the end of the shift, and the taxi office in turn would transmit the contents of the disk to the ICCC computer through their transaction register. In addition, any kind of vending machine could be equipped with the modular transaction register. For example, airline tickets could be sold through vending machines or pay telephones could accept card transactions, which would be especially helpful at airports where travelers often make long distance calls. There are many other uses, such as theaters, busses, etc., which would reduce the threat of robbery. The carrier simply turns in the disk to the dispatch office after each shift, which transfers totals, electronically, to its member bank.

Further, using a "transaction terminal" designed to operate only when connected to a transaction register through a telephone line, it would be possible for card holders to purchase goods or services from their homes or offices.

In FIG. 5, there is shown a transaction terminal that is remote from the transaction register to which it is connected via the card holder's home telephone. It is not designed to take cash, does not have a credit or debit key and does not have a memory disk. It must be used in conjunction with a telephone line and a transaction register.

An a.c. voltage from an outlet 148 of a line current is supplied to the power supply 152, where it is converted into the voltage required for the operation of the cash card terminal of the system. A clock 150 is provided in the system for generating pulses which activate the microprocessor unit 156, for processing all data fed into the system. A Random Access Memory (RAM) 154 is employed in the system for temporarily storing the Personal Identification Number (PIN), totals, amounts, etc., of each transaction to be later transferred to a disk for permanent recording at a data processing center, as explained previously above.

An Asynchronous Communications Interface Adapter (ACIA) 158 is the module which the microprocessor unit 156 uses to serialize and shift data in and out of the card terminal to a disk of a transaction register (not shown), via the Modem 162 connected to a telephone line outlet 164. A card Reader-Writer 166 reads and records information on the card according to instructions received from the microprocessor unit 156. A Peripheral Interface Adapter (PIA) 160 allows the microprocessor unit 156 to control functions outside the microprocessor, i.e., the Display 168 and the PIN Keyboard 170. A Programmable Read Only Memory (PROM) Module 172 is the memory unit which contains the program that is used by the microprocessor 156 to drive the system. The operation of the PIN keyboard 170 is identical to that of the PIN keyboard 74, as shown in FIG. 1, and previously explained above.

Debit and Credit Processing

FIGS. 16-22 represent how the cash card system processes its debits and credits. The following is a summary index of various reference characters used in these figures.

I. ICCC Card Transactions

(1) Lowers ICCC cash (credit) balance by amount of purchase or cash withdrawn.

(2) Credits RO on day of deposit receiving immediate credit.

(3) Raises ICCC cash (credit) balance by amount of credit.

(4) Debits RO on day of deposit.

II. ICCC CREDIT CARD TRANSACTIONS

(5) Lowers ICCC cash (credit) balance until it reaches zero; then increases debit balance until ceiling charge limit is reached. Accounts with debit balances are billed out monthly by lead bank.

(6) Credits RO on day of deposit receiving immediate credit.

(7) Decreases debit balance until it reaches zero; then raises ICCC cash (credit) balance.

(8) Debits RO on day of deposit.

III. MAJOR CREDIT CARD (MCC-ICCC) AND OTHER CREDIT CARD TRANSACTIONS

(9) Code # indicates which credit card transaction is to be recorded on. Does not affect ICCC balance.

(10) Credit to joint account is reduced by percent charged by MCC.

(11) Reduces ICCC cash balance by amount of payment.

FIG. 16 is an overview of the entire cash card system (ICCC). A lead bank establishes the following accounts:

1. A joint account between lead and member bank (MB-LB-ICCC).

2. A customer account (presumably an interest bearing account) for each individual belonging to the ICCC system (CUST-ICCC).

3. A provider system account which receives a fee per transaction related to the amount of the transaction per ICCC customer account (presumably an interest bearing account) for the provider of ICCC system service.

4. Other credit card accounts--a separate joint account for each major credit card company belonging to the ICCC system (MCC-ICCC).

In any city, there would be a member bank affiliated with the lead bank. Each member bank would have the following accounts:

1. A retail account which is a separate account for each retail outlet (RO-ICCC).

2. A suspense account used as a clearing account with the lead bank. It is assumed that a transaction register is located in each retail outlet which can transfer data via telephone Modem (TM) to a central computer.

FIG. 17 is a flow chart indicating how cash debit transactions, i.e., those pertaining to purchases and cash withdrawals, are handled by the system. Pressing the debit key on a transaction register lowers the ICCC cash (or credit) balance by the amount of the purchase or cash withdrawn. The retail outlet (RO) is credited on the day of deposit (DOD).

In FIG. 18, cash transactions involving a credit, such as returned items and deposits, are illustrated. Although the Figures are self-explanatory, the following should be noted. After the credit key of a transaction register has been pressed, the ICCC cash or credit balance is raised by the amount of the credit or deposit. For purchases or cash withdrawals, the ICCC cash balance is immediately lowered. Retail outlets are credited on the day of deposit, thereby receiving immediate credit.

FIG. 19 illustrates the transaction flow for ICCC credit card debit transactions, such as purchases and cash withdrawals, and FIG. 20 illustrates the flow of an ICCC credit card transaction for a credit such as a return item or a deposit. For ICCC credit card transactions, the ICCC cash balance on the customer's card is lowered until it reaches zero. Then, the system automatically increases the debit balance until a predetermined ceiling limit is reached. ICCC balances are paid further by a customer's deposit thereby eliminating further interest charged from the date of deposit. A retail outlet can be credited on the day of deposit thereby receiving an immediate credit. The system decreases the retail outlet's debit balance or increases a cash balance. Similarly, a retail outlet can be debited on the same day of a deposit.

FIGS. 21 and 22 show the flow of a transaction using a major credit card subscriber to the ICCC system. Specifically, FIG. 21 shows the flow of a debit transaction and FIG. 22 shows the flow of a credit transaction. Again, the Figures are self-explanatory. A key code on the transaction register is pressed to designate the appropriate credit card used. This does not affect the ICCC balance. A credit to the "joint account" at Lead Bank is reduced by whatever fee is charged by the major credit card. The system automatically reduces the ICCC "Joint Account" balances at Lead Bank by the amount of any payment.

On purchases, a customer may tell a cashier that he wants to use a particular major credit card and not make a charge against his cash card balance. The cashier presses a code key after the customer inserts his cash card into slot 126. The system displays on the readout that the customer does in fact belong to the major credit card system which the customer wishes to charge.

The cashier can follow the particular rules appropriate to that credit card such as calling a credit card bureau if the purchase is over a predetermined dollar amount. The cashier no longer has to use a multi-carbon copy or a printer. The purchase is made and transmitted to the retail outlet's bank electronically. The retail outlet's bank in turn transmits the total of the transaction to the lead bank. The lead bank has the particular major credit card-ICCC account. When the transaction reaches the lead bank, it goes to the "joint account" which is a non-interest bearing float that belongs to the lead bank and all member banks.

This account is debited by the amount of the purchase and the major credit card account (MCC-ICCC) is credited. Then the MCC-ICCC account is debited, less any fee to the major credit card company, and the joint account is credited. Then, in turn, the joint account is debited and the suspense account at the member bank (retail outlet bank) is credited. The suspense account is debited and the retail outlet account is credited.

This arrangement considerably simplifies the physical transaction including the mailing of checks after many days or processing multi-carbon copies. It reduces the major credit card company's personnel time load cost and expedites the delivery of credit to the retail outlet which encourages participation in the major credit card program. Thus, the system provides a competitive edge. In addition, the major credit card receives payment faster from the customer since it can pay electronically instead of using a logging payment method such as mailing a check and waiting for the check to clear. The only "float" is the joint account at the lead bank which comprises sufficient funds for projected purchases by cash card holders to credit the various retail outlet accounts. Notification of these credits and debits is reflected in the monthly statements from the banks for both customer and retail outlet, eliminating the time-lag cost of paper and mailing the transactions, with the exception of a monthly bill from the major credit card company (MCC). However, such mailing is far less costly than the mailing of checks for payment of credit.

The following summarizes FIGS. 16-22 and various advantages of the cash card system according to the present invention. The cash card customer can not only put a cash or check deposit to his card, but can also have a negative balance up to a ceiling limit just like a major credit card. The customer can pay off this negative balance by a deposit which brings the card total and his account into the "plus" side of his card. Once the cash card customer enters the negative register of his card, from that date, he can be charged interest. The customer can keep his negative balance as long as he wishes, instead of the predetermined time period such as a 90-day limit, required by a major credit card, as long as he does not mind paying the interest.

The customer never gets a bill for purchases because such transactions are immediately deducted from his card. The amount deducted from the cash balance on the card would include the purchase price, any tax, a cash card transaction fee, and any interest due. The new balance in the customer's account would automatically be encoded onto the card at the time of the next transaction.

The customer can find out at any time what he owes or his cash balance by asking the cashier to use the "query key" on a transaction register to display this balance. The customer can deposit enough funds to keep himself within any predetermined financial limits that he may establish. The customer gets immediate feedback that he is paying a particular dollar amount because his available cash balance is displayed to him at each transaction. In essence, a customer pays his bills "as he goes" by making deposits to his cash card.

By processing transactions in the manner shown in FIGS. 17-22, the handling of banking and retail outlet transactions is changed in many ways from the presently used system. The use of checks can be eliminated since a cash card customer can pay a bill directly from his cash card account, electronically. Deposit slips are eliminated. A customer can deposit cash or a check to his card just by handing it to a cashier at any retail outlet. The deposit is encoded via a transaction register directly onto the card and no deposit slip is required. House charge accounts can be replaced by the cash card allowing the customer to pay for products and services directly without incurring any interest charge, if the customer has a cash balance.

The cash card system in effect turns retail outlets into branch banks. This eliminates expensive construction costs and personnel for operating a plurality of branch banks that will no longer be necessary. Retail outlets and customers can bank electronically from any transaction register and its remote unit, the transaction terminal. These terminals can be located in a customer's home and office.

Invoices or bills are eliminated because purchases are paid for at the time of a transaction by debiting a cash card through the transaction register or through a transaction terminal. Even retail outlets can order and pay for goods from a wholesaler who has a transaction register. Similarly, a wholesaler can purchase and pay for goods from a manufacturer having a transaction register.

Cash receivables are eliminated because purchases are paid for at the time of the order. The amount of the transaction is deducted electronically from the cash card by a transaction register or terminal. Mailing delays are eliminated since invoices and bills are eliminated along with the need for checks in payment of those bills. In addition, both customers and retail outlets can eliminate lengthy trips to banks. In essence, the system allows for much of the time load cost associated with bank personnel to be transferred to retail outlets where store cashiers take the place of tellers at no cost to the bank.

Even for small operatives such as cabs, movies, buses, telephones, vending machines, etc., a modular transaction register can be installed so that a cash card could be utilized.

The present invention has been described in detail above by means of a specific example and in a specific embodiment for purposes of illustration only and is not intended to be limited by this description or otherwise, except as defined in the appended claims.

We claim:
 1. An electronic fund transfer system for handling a card bearer's fund transfer transaction in a trade sale comprising: a cash card having machine sensitive information recorded thereon, including information representing an available cash balance in an account of the bearer, and a randomly mutated first enciphering key; and a transaction register machine at the location of trade sale including means for receiving said cash card from said bearer and recording information to and reading information from said cash card, randomly generating said first enciphering key and recording said first enciphering key on said cash card with a random mutation by recording with no a.c. or d.c. bias and no saturation, receiving personal identification number (PIN) data from said bearer independent of said cash card, said PIN data constituting a second enciphering key, enciphering and deciphering data to be recorded on and read from said cash card using said first and second enciphering keys, verifying the validity of said cash card is an authorized card bearer by determining whether said received PIN data successfully deciphers information previously enciphered and recorded onto the card, modifying said available cash balance and other information recorded on said cash card in accordance with said transaction, and magnetically recording and storing information of the trade sale cash transaction for later processing.
 2. A system according to claim 1, wherein said data processing center includes an automatic magnetic tape reader for reading the information on said tape.
 3. A system according to claim 2, wherein said data processing center includes a disk file for maintaining permanent records of personal identification numbers of lost, stolen and voided cash cards.
 4. A system according to claim 1, further comprising modem means, connected to said transaction register machine, for transmitting information of the cash card transactions by telephone to the data processing center for updating the cash balance in the respective accounts accordingly.
 5. A system according to claim 1, wherein said magnetic recording means comprises a disk for storing thereon all cash card transactions at said transaction register machine.
 6. A system according to claim 4, further comprising a timer for presetting a certain time for the transmitting of information of each transaction from said magnetic recording means to the data processing center via a telephone line.
 7. A system according to claim 1, wherein said enciphering means includes: means for combining said first and second enciphering keys in a random sequence generator array to produce a first pseudo-random string; means for modifying data to be enciphered using said first pseudo-random string; means for transforming said first pseudo-random string into a second pseudo-random string; and means for scrambling components of the data to be enciphered using said second pseudo-random string as a key to the new position of each of said components.
 8. A system according to claim 7, wherein said transaction register machine includes means for programming said machine to decipher said enciphered coded information stored on said cash card.
 9. A system according to claim 1, wherein said means for receiving PIN data comprises a keyboard operable by the card bearer.
 10. A system according to claim 9, wherein said transaction register machine includes a main keyboard operable by the seller and responsive to the entry of the correct identification number for selectively entering the cash amounts of each transaction in said register machine which in turn records the new cash balance on said cash card and simultaneously records said cash transaction on said magnetic recording means for delivery to a data processing center for transferring the information thereon to the respective cash card accounts.
 11. A system according to claim 9, wherein said cash card bearer operable keyboard includes a slot for inserting said cash card thereby engaging said cash card with said transaction register.
 12. A system according to claim 10, wherein said seller operable main keyboard includes a query key for displaying the cash balance on said cash card, an enter key for entering the amount of the sale into said register machine, a sale key for displaying the total amount of the transaction, a credit key and a debit key, a code key and arithmetic functions keys for selecting the operation of said register machine in completing the sale transaction.
 13. A system according to claim 12, wherein said seller operable main keyboard has display windows for displaying by lighting a personal identification number error, a void card, and other information for security and for operation of said transaction register machine.
 14. An electronic fund transfer system for carrying out cash transfer transactions in business and trade sale dealings comprising: a plastic card having a magnetic stripe containing information representing an available cash balance and other information including a first enciphering key recorded with no a.c. or d.c. bias and no saturation; a transaction cash register machine for register recording an amount of money received and exhibiting an amount of each sale, said transaction cash register machine including means for reading said magnetic stripe, means for verifying the validity of said card, means for verifying that a user of said card is an authorized card bearer, means for modifying said cash balance and other information recorded on said magnetic stripe, and means for magnetically recording and storing information of each transaction for further processing at a data processing center.
 15. A system of claim 12, further comprising a data processing center including a computer unit, an automatic cassette tape or disk reader, a disk file and a printer for maintaining records of the cash card system transactions.
 16. The system according to claim 13, wherein said cash transaction register machine is interconnected with a data processing center by a data transmission network.
 17. The system according to claim 14, wherein said transaction register machine includes a main keyboard operable by the seller and responsive to the entry of the correct identification number in for selectively entering the cash amounts of each transaction in said register machine which in turn records the new cash balance on said cash card and simultaneously records said cash transaction on said magnetic recording means for delivery to the data processing center for transferring the information thereon to the respective cash card accounts.
 18. A system according to claim 17, wherein said seller operable main keyboard includes a query key for displaying the cash balance on a cash card, an enter key for entering the amount of the sale in said register machine, a sale key for displaying the total amount of the transaction, a credit key and a debit key, a code key and arithmetic functions keys for selecting the operation of said register machine in completing the sale transaction.
 19. A system according to claim 18, wherein said seller operable main keyboard has display windows for displaying with light emitting elements a personal identification number error, a void card, and other information for security and for operation of said transaction register machine.
 20. An electronic fund transfer system for transferring funds from a bearer's to a transferee's account comprising: a card having enciphered information recorded thereon including at least an available cash balance and a first enciphering key recorded with no a.c. or d.c. bias and no saturation to carry out a money transfer transaction independent of any other source of information, and a cash card terminal machine including means for reading, recording, and displaying said information on said card.
 21. A cash card system according to claim 20, wherein said cash card terminal machine includes means for transmitting said recorded information through a telephone line to a transaction register machine for carrying out the cash transfer transaction.
 22. A cash card system according to claim 21, further comprising a transaction register machine which includes means for reading information recorded on said cash card, enciphering and deciphering data, verifying the validity of said cash card, verifying that a user of said cash card is an authorized card bearer, and modifying said information recorded on said cash card.
 23. A cash card system according to claim 22, wherein said register machine includes magnetic recording means for permanently storing information regarding said cash transaction thereon.
 24. A cash card system according to claim 20 further comprising a keyboard for entering a personal identification number.
 25. A method of uniquely identifying a card by enciphering information thereon comprising the steps of: randomly generating a digital number, converting said digital number to an analog signal, and recording said analog signal onto said card with a random mutation by recording with no a.c. or d.c. bias and no saturation.
 26. A method of verifying the validity of any one of a plurality of presented cards each having information enciphered thereon in an analog signal comprising the steps of: reading said analog signal from said card, and determining whether said analog signal contains any a.c. or d.c. bias.
 27. A method of verifying that a user of an electronic fund transfer system card is an authorized card bearer, comprising the steps of: (a) upon a first presentation of said card to the system, randomly generating a digital number; converting said digital number to an analog signal; recording said analog signal onto said card with a random mutation by recording with no a.c. or d.c. bias and no saturation; reading said randomly mutated analog signal from said card; converting said randomly mutated analog signal to a digital representation thereof; and using said digital representation as a first enciphering key along with personal identification number (PIN) data supplied by said user as a second enciphering key to encipher onto said card an identifying datum which is uniformly used throughout said system, and (b) and upon a subsequent presentation of said card to the system, reading said enciphered identifying datum from said card; reading said randomly mutated analog signal from said card; converting said randomly mutated analog signal to a digital representation thereof; and using said digital representation as a first enciphering key along with PIN data supplied by said user as a second enciphering key to attempt to decipher said identifying datum, whereby a successful deciphering of said identifying datum indicates that said user is an authorized card bearer.
 28. A method of enciphering and recording onto a card information used in an electronic fund transfer system, including an available cash balance, comprising the steps of: randomly generating a digital number; converting said digital number to an analog signal; recording said analog signal onto said card with a random mutation by recording with no a.c. or d.c. bias and no saturation; reading said randomly mutated analog signal from said card; converting said randomly mutated analog signal to a digital representation thereof; using said digital representation as a first enciphering key along with personal identification number (PIN) data supplied by a bearer of said card as a second enciphering key to encipher said electronic fund transfer system information; and recording said enciphered information onto said card.
 29. A method according to claim 28, wherein said steps are repeated with each subsequent use of said card.
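
The two-key scheme of claims 7, 27 and 28 to 29, sketched as an added example that is not code from the patent. Assumptions: HMAC-SHA256 and SHAKE-256 stand in for the unspecified "random sequence generator array", `secrets.token_bytes` stands in for reading back the randomly mutated analog signal, and the card layout, field labels and `IDENT_DATUM` value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the identifying datum "uniformly used throughout
# said system" (claim 27); the patent does not give its value.
IDENT_DATUM = b"ICCC-VALID-CARD!"


def first_string(card_key: bytes, pin: str, label: bytes, n: int) -> bytes:
    """Combine the first key (card) and second key (PIN) into a pseudo-random string."""
    seed = hmac.new(card_key, label + b"|" + pin.encode(), hashlib.sha256).digest()
    return hashlib.shake_256(seed).digest(n)


def positions(first: bytes) -> list:
    """Transform the first string into a second one and read it as a permutation."""
    n = len(first)
    second = hashlib.shake_256(b"second|" + first).digest(2 * n)
    return sorted(range(n), key=lambda i: (second[2 * i:2 * i + 2], i))


def encipher(data: bytes, card_key: bytes, pin: str, label: bytes) -> bytes:
    first = first_string(card_key, pin, label, len(data))
    modified = bytes(d ^ f for d, f in zip(data, first))      # modify the data
    return bytes(modified[src] for src in positions(first))  # scramble positions


def decipher(blob: bytes, card_key: bytes, pin: str, label: bytes) -> bytes:
    first = first_string(card_key, pin, label, len(blob))
    modified = bytearray(len(blob))
    for dst, src in enumerate(positions(first)):
        modified[src] = blob[dst]                             # undo the scramble
    return bytes(m ^ f for m, f in zip(modified, first))


def write_card(card_key: bytes, pin: str, balance_cents: int) -> dict:
    """Hypothetical stripe layout: the first key is stored on the card, the PIN is not."""
    return {
        "key_track": card_key,
        "ident": encipher(IDENT_DATUM, card_key, pin, b"ident"),
        "balance": encipher(balance_cents.to_bytes(8, "big"), card_key, pin, b"balance"),
    }


def issue_card(pin: str, balance_cents: int) -> dict:
    # First presentation (claim 27a): a fresh random first key is generated.
    return write_card(secrets.token_bytes(16), pin, balance_cents)


def bearer_is_authorized(card: dict, pin: str) -> bool:
    # Subsequent presentation (claim 27b): the PIN is accepted only if it
    # deciphers the stored identifying datum.
    candidate = decipher(card["ident"], card["key_track"], pin, b"ident")
    return hmac.compare_digest(candidate, IDENT_DATUM)


def read_balance(card: dict, pin: str) -> int:
    if not bearer_is_authorized(card, pin):
        raise PermissionError("PIN error")
    raw = decipher(card["balance"], card["key_track"], pin, b"balance")
    return int.from_bytes(raw, "big")


def debit(card: dict, pin: str, amount_cents: int) -> dict:
    balance = read_balance(card, pin)
    if not 0 < amount_cents <= balance:
        raise ValueError("amount exceeds available cash balance")
    # Claim 29: the steps repeat on each use, so the card is rewritten
    # under a newly generated first key.
    return write_card(secrets.token_bytes(16), pin, balance - amount_cents)


if __name__ == "__main__":
    card = issue_card("4821", 12_500)      # constructed PIN and balance
    card = debit(card, "4821", 2_599)
    print(read_balance(card, "4821"))
```

The sketch covers the cash balance only, not the debit (negative) balance of the ICCC credit card mode. It also carries no integrity tag over the records, so a current design would use an authenticated cipher or add a MAC.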